Citigroup Breach Exposes 210,000 Customer Details

American financial services company Citigroup has become the latest in a long line of organisations hit by hackers, after it admitted a damaging data breach.

Citigroup admitted on Wednesday that its Website was hacked earlier this month, the Financial Times initially reported the breach on Thursday.

The American banking group told Reuters that, thanks to “routing monitoring”, it had discovered unauthorised access at Citi Account Online, a Website used by customers to manage their cards.

Massive Breach

The bank said about one percent of its North American customers account details were affected by the breach. According to annual report, Citigroup has about 21.2 million customers in North America, implying that close to 212,000 accounts may have been hit.

Citigroup confirmed that customer names, account numbers and contact information including email addresses of the affected accounts were exposed. However, it said that birth dates, social security numbers, card expiration date and card security code (CVV) was not compromised.

“We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” a spokesperson told Reuters. “Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details.”

Poor Notification

The breach has exposed concerns about how Citigroup reacted to the hack.

According to the FT, a number of customers only discovered the issue last weekend when their card transactions were denied. This raises concerns about Citigroup’s notification procedures, a fact not helped by the startling lack of information on its Websites.

The Citi Account Online Website, for example, still does not have a notification of the breach on its landing page as of Thursday afternoon, and neither does the front page of the group’s main site.

Vulnerability Scanning

This latest hack has prompted some experts to warn about the ongoing importance of real-time vulnerability scanning.

“While in hacking situations like this there will never be a single point solution that could have mitigated such an attack, this case once again demonstrates the need for online services to deploy real-time vulnerability scanning,” said Ron Gula, CEO of Tenable Network Security.

“Organisations need to assume that malicious code is going to infiltrate their network, so what’s needed is a system that will continuously monitor the entire organisation’s network, to immediately flag when there is a compromise or potential vulnerability discovered from internal or external sources,” he said.

“Maintaining a holistic view of networks is the simple step that can catapult an organisation to being well on the way to protecting customer cardholder data. As data breach headlines like this continue to flow, and security requirements continue to grow, now is the time for IT departments and boardrooms alike to take a proactive view of regulation such as PCI,” he added.

Gula added that proactive protection of customers’ data may not be as complicated, costly or time-consuming as feared and that the situation is going to become more complicated, so now is the time to act.

“Moving forward, the IT network management environment is only going to become more complex and challenging, both internally and externally – so system administrators must ensure they have a holistic view of their networks and can see what’s happening, at every moment, to make sure they’re not the next company to leak their customer’s details,” he said.

Banking Attack

Whilst hacking attacks are becoming all too common nowadays as evidenced by the Playstation Network hack last month, it is relatively rare for hackers to succeed in breaching a bank itself, as they usually use the latest and greatest security methods.

Instead, hackers often target the retailers or partners that store large caches of credit card numbers. That said, the TJX hack in 2007 or Heartland Payment Systems in 2009 reportedly exposed more credit card accounts than the 212,000 Citigroup accounts.